82b3bc554c3ed5e698153da5badfd3973e337c49ee8477847b2ca0fdda98b895 | Triage

Analysis

max time kernel
65s
max time network
116s
platform
windows10_x64
resource
win10
submitted
07/07/2020, 09:09

Sharing

Report Analysis Logs

General

Target

Purchasing Doc_ 6000019430.exe
Size

793KB
MD5

e956a3cc966ca07ff6d7e56bbd78b2c4
SHA1

39429f7fb9ab18a29c84af8b49eec67b036532f2
SHA256

82b3bc554c3ed5e698153da5badfd3973e337c49ee8477847b2ca0fdda98b895
SHA512

83a9b4fcb38c36049b522cb180146ce5087d9cb020e370b3ad85baa4acf12628276f9f74406ea4a229f3d58dbff4fa708f96df84ddef7fd9446674ee3cf351d7

Score

3^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe
736	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
736	3280	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	736	WerFault.exe
Token: SeBackupPrivilege	736	WerFault.exe
Token: SeDebugPrivilege	736	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe
"C:\Users\Admin\AppData\Local\Temp\Purchasing Doc_ 6000019430.exe"
1⤵
PID:3280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1140
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-0-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/736-1-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/736-4-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/736-63-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download